Walking around a physical neighborhood, you can gather a lot of information if you are open to it. On the Internet, it can be a very different story. Imagine an office with a single PC, used in the morning by Albert and in the afternoon by Betty. Each has a different account and logs out at the end of the shift. Albert and Betty work from the same physical place, and from the same IP address, but they may have very different experiences on the Internet, depending on what they do.

Extend that to a data center hosting many companies. Each company's servers may be separated by only a few feet, but how they experience the Internet, and how the Internet experiences them, can vary widely. The physical distance between the servers is irrelevant. What matters is the hardware they are composed of, the operating systems that run on them, the application server software, and the configuration data for each of those things, plus all of the utility and ancillary software needed to support and maintain them. The quality and quantity of users, as well as administrators, also matter a great deal.

HEARTBLEED

In spring 2014, a bug in the open-source package OpenSSL became widely known. The bug, now known as Heartbleed (http://heartbleed.com), had been present for some time, and may have been known by some, but the full disclosure of the problem in the OpenSSL package came to the public's attention only recently. OpenSSL had been reviewed by many experts and had been a well-used and trusted part of the Internet ecosystem until that point. As of this writing, there is no evidence suggesting any cause other than a programming error on the part of an OpenSSL contributor.

On the morning before the Heartbleed bug was made public, few people were familiar with OpenSSL and they hardly gave the functions it provided a second thought. Those who knew of it often had a strong level of trust in it. By the end of the day, that had all changed. Systems administrators and companies of all sizes were scrambling to contain the problem. Within just a few days, this obscure piece of specialized software was at the top of the news cycle, and strangers—perhaps sitting in outdoor cafes at tables they had reserved with their house and car keys—were discussing it in the same tones with which they might have discussed other catastrophes.

SYSTEMS ADMINISTRATORS

At the heart of everything that works on the Internet are systems administrators. Sometimes they are skilled experts, sometimes low paid and poorly trained, sometimes volunteers of known or unknown provenance. Often they work long, unappreciated hours fixing problems behind the scenes or ones that are all too visible. They have access to systems that goes beyond that of regular users.

One such systems administrator worked for the NSA (National Security Agency). His name is Edward Snowden. You probably know more about him now than you ever expected to know about any sysadmin, even if you are one yourself.

Another less familiar name is Terry Childs, a network administrator for the city of San Francisco, who was arrested in 2008 for refusing to divulge the administrative passwords for the city's FiberWAN network. This network formed the core of many city services. According to reports, Childs, a highly qualified and certified network engineer who designed and implemented much of the city's network himself, was very possessive of it—perhaps too possessive, as he became the sole administrator of the network, claiming not to trust his colleagues' abilities. He allowed himself to be on-call 24/7, year-round, rather than delegate access to those he considered less qualified.

After an argument with a new boss who wanted to audit the network against Childs's wishes, the city's CIO demanded that Childs provide the administrative credentials to the FiberWAN. Childs refused, which led to his arrest. Even after his arrest, Childs would not provide administrative access to the network. Finally he relented and gave the mayor of San Francisco the access credentials, ending the standoff.

His supervisors claimed he was crazy and wanted to damage the network. Childs claimed he did not want to provide sensitive access credentials to unqualified individuals who might damage "his" network.

In 2010, Childs was found guilty of felony network tampering and sentenced to four years in prison and $1.5 million in restitution for the costs the city incurred in regaining control of the network. An appeals court upheld the verdict.

Post by Thad Floryan
Another less familiar name is Terry Childs, a network administrator for the city of San Francisco, who was arrested in 2008 for refusing to divulge the administrative passwords for the city's FiberWAN network. This network formed the core of many city services. According to reports, Childs, a highly qualified and certified network engineer who designed and implemented much of the city's network himself, was very possessive of it—perhaps too possessive, as he became the sole administrator of the network, claiming not to trust his colleagues' abilities. He allowed himself to be on-call 24/7, year-round, rather than delegate access to those he considered less qualified.

At one company I worked at, they laid off the network administrator of a Novell Netware network. She wanted to debrief them on how to do things and provide them with the administrative passwords, but they insisted that they didn't need her to do that and walked her out of the building.

Then they started calling her about how to get into the network. She explained that she was no longer employed by the company and thus she was unable to provide any service, but offered to come back as a consultant for a few hours and provide them with the credentials. They refused. They rebuilt their network from scratch somehow.

Post by Thad Floryan
Another less familiar name is Terry Childs, a network administrator for the city of San Francisco, who was arrested in 2008 for refusing to divulge the administrative passwords for the city's FiberWAN network. This network formed the core of many city services. According to reports, Childs, a highly qualified and certified network engineer who designed and implemented much of the city's network himself, was very possessive of it—perhaps too possessive, as he became the sole administrator of the network, claiming not to trust his colleagues' abilities. He allowed himself to be on-call 24/7, year-round, rather than delegate access to those he considered less qualified.

All that shows that he didn't give a damn for "his" network and that he only cared about himself.

At about the same time, my health was not in the best condition. There was a very real possibility that I might be indisposed. I would gladly have passed responsibility for the various networks I maintained to a backup admin, except that there was none. To ensure continuity, I placed all the important information, including topology maps, security info, passwords, kludges, and potential pitfalls, in two sealed envelopes. One went to the company CEO. The other went to a trusted friend (who knew nothing about computers).

Roll forward about 2 years, and much of the information had become obsolete and erroneous. I asked for the envelopes back, to be replaced by a later version. I demanded the old envelopes back before I replaced them with a later version. That went fairly smoothly except at one company.

Inside the envelopes, I had placed a sheet of sensitized photo paper as part of a "stiffener". With a few darkroom chemicals, I could determine if the envelope had been opened. I would have used paper sensitized with UV copier detection ink, but I couldn't find any at the time. At this company, not only had the envelope been steamed open, the contents copied, and resealed, but a document vaguely resembling a badly written last will and testament was added. It pronounced one of the clerks to be my heir apparent and to be given a trusted position. Syslog, utmp, and wtmp showed that some of the passwords had been tested, but apparently nothing was changed. I don't want to divulge what happened after that.

Incidentally, the worst security problem I had to deal with was a company IT admin, who found it necessary to delegate root passwords to contractors, such as myself, and then conscientiously changed the password after it was no longer needed. The problem was that he often did it in my presence, immediately after the job was done. I recorded a video of him typing in the new password (twice), and played it back to reveal the password. Finger hacking at its best. I also produced a report of when someone logged in as root, and from which vterm, which showed that I wasn't the only person who knew the trick. Despite my warnings, this IT admin continued the practice. They mercifully transferred to another department, where it was no longer my problem.

Being trusted also has its downsides. One of my customers from the mid-1990s had me listed on an insurance audit as the "security administrator". The problem was that I hadn't done work for them since about 2002, when they stupidly outsourced all their IT to a company based on the east coast with tech support in India. While security was no longer my responsibility, I continued to be listed as the responsible person. I treated it as a joke until they had a major security breach and the investigators phoned me shopping for a culprit. Since I could potentially be incriminating myself, I refused to say anything useful until I talked to my attorney and to the current IT people. That put me at the top of the suspect list. The problem was that the outsourced IT company didn't bother to change any of the server or router passwords, and that my ancient list of passwords was still mostly valid. Even added, replacement, and upgraded servers and routers used the same old passwords. I managed to convince both the police and the insurance company that I wasn't involved, but it wasn't easy.

After that incident, I planned to adopt a scorched earth policy, where after leaving a company, I would threaten to publicly publish the passwords on the internet if they didn't change them. That would probably be a bad idea, but it sure is tempting.

Of course, I'm no paragon of virtue or security. I'm the keeper of the passwords and LAN for the local radio club. Due to temporary insanity, I placed the unencrypted password file (named passwords.txt) in the root directory of my publicly accessible web pile and forgot about it. That was long enough for someone in Nigeria to find it, play with a few logins, change the Skype password, and then engage in a Skype chat demanding money for the new password. Oops. It took me a day to change all the other passwords, recover a few accounts, and get Google cache to delete it. It could have been much worse. Now, I don't even trust myself.

At this company, not only had the envelope been steamed open, the contents copied, and resealed, but a document vaguely resembling a badly written last will and testament was added. It pronounced one of the clerks to be my heir apparent and to be given a trusted position.

I hope the initials were DA... Society is better off if people like that have a record, as a warning signpost for future employers that the person maybe should not be put in a position where trust is required.

Incidentally, the worst security problem I had to deal with was a company IT admin, who found it necessary to delegate root passwords to contractors, such as myself, and then conscientiously changed the password after it was no longer needed. The problem was that he often did it in my presence, immediately after the job was done. I recorded a video of him typing in the new password (twice), and played it back to reveal the password.

Gosh, I was brought up with a different set of ethics, and they are: someone types a password, you turn your head physically. At times I might not, but then I don't put into memory anything I see. I'm the sort of person that you can remote-hands me and use a root password and I still won't know it. Just etiquette in my book.

After that incident, I planned to adopt a scorched earth policy, where after leaving a company, I would threaten to publicly publish the passwords on the internet if they didn't change them. That would probably be a bad idea, but it sure is tempting.

Yes, very bad idea. I'd do this instead: rotate the passwords such that you just don't know or have the new passwords. Brownie points if the system to do the rotation is secure and locks you out by design when you press the "rotate now" button. Or, two factor: design the system so that it is secure even when the passwords are known by all. For example, that password only works in this locked room that is only openable by current IT staff, or only works when a current IT staff member authenticates to the system first. Better if you can design a system that requires per-user authentication and then securely logs that and has it associated with the root password use. Then, when you leave, the defense is: but I no longer have the key to the room; or, did you check the auth log to see which user typed the root password yet? I can tell you where it is. The usual auditor will accept that, and to prove there is an insecurity in _that_ system, they then need to pull in a much higher priced security auditor; that one can then determine that what you said is true, and that you could not have done it. Yes, this means no back doors, no secret ways in. You want that, put it in an "open in case of emergency" envelope and put it in the CEO's safe. Someone gets locked out, they call you, tell them to go to the CEO.

Also, for a cold call on the phone, I would say: I'm sorry, but I am a security-minded professional and I can't talk to you at all without first validating who you are and what amount of data the company will allow me to divulge to you. Heck, I don't even allow people I do business with to social engineer data out of me; they call me, and then they want me to prove who I am. No dice, I tell them: they called me, and they have to prove to me who they are before I will prove who I am. I find it amazing that people just expect to be able to call me and get sensitive info out of me.

Now, I don't even trust myself.

:-) The reality is that computers can and will be hacked, and as time goes on, more and more will get hacked. The insanity is to assume that any computers or networks are secure. One danger in life is someone thinking or assuming they are secure. I see a hacking attempt came from you; you explain, no, it came from my computer.

For example, I bought an LG smart TV recently, not because I wanted it, but because it is what the store sold. It wanted to be on the network, so I let it. I know enough to know the TV spies on us, and is insecure and will always remain so unless a hacker secures it; usually they don't. The danger is people doing bad things from my IP address (thanks NAT), and me somehow having to pay the price for having bought the TV. Oh well, life goes on.
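The root-login report mentioned earlier in the thread (who logged in as root, and from which terminal) and the auth-log check proposed in the reply above, as an added example that is not part of this thread: a short Python script that parses syslog-style sshd, su, sudo and login lines and separates root access that is attributable to a named user from direct root logins that nobody can be held to. The log lines are constructed samples, and the hostname "host" is a placeholder.

```python
"""Who became root, and from where?  Added example, not from the thread.
Splits root access into events attributable to a named user (su, sudo)
and direct root logins with nobody behind them (ssh as root, console)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RootEvent:
    time: str
    actor: str        # named user, or "root" when nobody can be attributed
    origin: str       # tty for local access, source address for ssh
    method: str
    attributable: bool

# Syslog prefix: "May  3 08:12:01 host " (month, day, time, hostname)
TIME = r"(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
PATTERNS = [
    (re.compile(TIME + r"sshd\[\d+\]: Accepted \w+ for root from (?P<origin>\S+)"), "ssh", False),
    (re.compile(TIME + r"login\[\d+\]: ROOT LOGIN\s+on '(?P<origin>[^']+)'"), "console", False),
    (re.compile(TIME + r"su\[\d+\]: \(to root\) (?P<actor>\S+) on (?P<origin>\S+)"), "su", True),
    (re.compile(TIME + r"sudo:\s+(?P<actor>\S+) : TTY=(?P<origin>\S+) ;.*USER=root"), "sudo", True),
]

# Constructed sample lines in common sshd / su / sudo / login formats.
SAMPLE_LOG = """\
May  3 08:12:01 host sshd[2011]: Accepted password for root from 10.0.0.5 port 51022 ssh2
May  3 08:15:44 host su[2042]: (to root) albert on pts/1
May  3 13:02:10 host sudo:    betty : TTY=pts/2 ; PWD=/home/betty ; USER=root ; COMMAND=/usr/sbin/visudo
May  3 13:05:00 host sshd[2101]: Failed password for root from 10.0.0.9 port 40011 ssh2
May  3 13:30:12 host login[2150]: ROOT LOGIN  on '/dev/tty1'
"""

def root_events(log_text):
    """Return every successful root access in the log, in log order."""
    events = []
    for line in log_text.splitlines():
        for pattern, method, attributable in PATTERNS:
            m = pattern.match(line)
            if m:
                actor = m.groupdict().get("actor") or "root"
                events.append(RootEvent(m["time"], actor, m["origin"], method, attributable))
                break   # one event per line; the failed-password line matches nothing
    return events

def unattributed(events):
    """Root access with no named user behind it: what the reply wants designed away."""
    return [e for e in events if not e.attributable]

if __name__ == "__main__":
    for e in root_events(SAMPLE_LOG):
        print(f"{e.time}  {e.method:<8}{e.actor:<10}{e.origin}  {'' if e.attributable else '<-- nobody to name'}")
```

Against a real /var/log/auth.log (or journalctl output) the same patterns run unchanged; anything that lands in `unattributed` is a root login that a departed admin cannot be cleared of, which is exactly the gap the reply's per-user design closes.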

Post by Mike Stump
Gosh, I was brought up with a different set of ethics, and they are: someone types a password, you turn your head physically. At times I might not, but then I don't put into memory anything I see. I'm the sort of person that you can remote-hands me and use a root password and I still won't know it. Just etiquette in my book.

I'm that way myself. Even within a customer's presence, if I have to use a password once I promptly forget it, and if I need it again, I ask again. As a rule I do not write down customer passwords, unless they've specifically told me to do so. More than once I've had a customer call me frantic that they didn't know their password for something. Well, if it's Windows, I have password removal tools, and for a simple router I can reset, both of which I charge for. But beyond that, well, they're SOL.
